Zero Day Initiative – Pwn2Own Ireland 2024: Day 3 Results

SUCCESS – Ha The Long with Ha Anh Hoang from Viettel Cyber ​​Security (@vcslab) used a single command injection flaw to exploit the QNAP TS-464 NAS. Their victory in the fourth round earns them $10,000 and 4 Master of Pwn points.

FAIL – Unfortunately, Sina Kheirkhah (@SinSinology) and Enrique Castillo (@hyprdude) from Summoning Team (@SummoningTeam) were unable to get their Ubiquiti AI Bullet exploit working within the allotted time.

SUCCESS – Pumpkin Chang (@u1f383) and Orange Tsai (@orange_8361) from the DEVCORE research team combined CRLF injection, auth bypass and SQL injection to exploit the Synology BeeStation. You’ll earn $20,000 and 4 Master of Pwn points.

SUCCESS – PHP Hooligans / Midnight Blue (@midnightbluelab) used an OOB write and memory corruption error to get from the QNAP QHora-322 to the Lexmark printer, which they demonstrated by printing their own “cash”. Their successful SOHO Smashup earns them $25,000 and 10 Master of Pwn points.

SUCCESS – Viettel Cyber ​​Security (@vcslab) used a single-type confusion bug to exploit the Lexmark CX331adwe printer. They earn $20,000 and 2 Master of Pwn points.

COLLISION – Our first collision on the third day: The STEALIEN Inc. group successfully destroyed the Lorex camera, but the bug they used had already been demonstrated in the competition. You’ll still earn $3,750 and 1.5 Master of Pwn points.